Change log of AWS IAM permissions

2022-12-03

51 new actions, 8 new resources, 10 new conditions

Additions

Actions

CreateAccessLogSubscription
- Description: Grants permission to create an access log subscription
- Access: Write
- Resources:
  Name: AccessLogSubscription
  
  Required: Yes
- Conditions:
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
- Dependents:
  logs:CreateLogDelivery
  
  logs:GetLogDelivery
CreateListener
- Description: Grants permission to create a listener
- Access: Write
- Resources:
  Name: Listener
  
  Required: Yes
- Conditions:
  vpc-lattice:Protocol
  
  vpc-lattice:TargetGroupArns
  
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
CreateRule
- Description: Grants permission to create a rule
- Access: Write
- Resources:
  Name: Rule
  
  Required: Yes
- Conditions:
  vpc-lattice:TargetGroupArns
  
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
CreateService
- Description: Grants permission to create a service
- Access: Write
- Resources:
  Name: Service
  
  Required: Yes
- Conditions:
  vpc-lattice:AuthType
  
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
- Dependents:
  iam:CreateServiceLinkedRole
CreateServiceNetwork
- Description: Grants permission to create a service network
- Access: Write
- Resources:
  Name: ServiceNetwork
  
  Required: Yes
- Conditions:
  vpc-lattice:AuthType
  
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
- Dependents:
  iam:CreateServiceLinkedRole
CreateServiceNetworkServiceAssociation
- Description: Grants permission to create a service network and service association
- Access: Write
- Resources:
  Name: Service
  
  Required: Yes
  
  Name: ServiceNetwork
  
  Required: Yes
  
  Name: ServiceNetworkServiceAssociation
  
  Required: Yes
- Conditions:
  vpc-lattice:ServiceNetworkArn
  
  vpc-lattice:ServiceArn
  
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
CreateServiceNetworkVpcAssociation
- Description: Grants permission to create a service network and VPC association
- Access: Write
- Resources:
  Name: ServiceNetwork
  
  Required: Yes
  
  Name: ServiceNetworkVpcAssociation
  
  Required: Yes
- Conditions:
  vpc-lattice:VpcId
  
  vpc-lattice:ServiceNetworkArn
  
  vpc-lattice:SecurityGroupIds
  
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
- Dependents:
  ec2:DescribeVpcs
CreateTargetGroup
- Description: Grants permission to create a target group
- Access: Write
- Resources:
  Name: TargetGroup
  
  Required: Yes
- Conditions:
  vpc-lattice:VpcId
  
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
- Dependents:
  iam:CreateServiceLinkedRole
DeleteAccessLogSubscription
- Description: Grants permission to delete an access log subscription
- Access: Write
- Resources:
  Name: AccessLogSubscription
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
- Dependents:
  logs:DeleteLogDelivery
  
  logs:GetLogDelivery
DeleteAuthPolicy
- Description: Grants permission to delete an auth policy
- Access: Permissions management
- Resources:
  Name: Service
  
  Required: No
  
  Name: ServiceNetwork
  
  Required: No
DeleteListener
- Description: Grants permission to delete a listener
- Access: Write
- Resources:
  Name: Listener
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
DeleteResourcePolicy
- Description: Grants permission to delete a resource policy
- Access: Write
- Resources:
  Name: Service
  
  Required: No
  
  Name: ServiceNetwork
  
  Required: No
DeleteRule
- Description: Grants permission to delete a rule
- Access: Write
- Resources:
  Name: Rule
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
DeleteService
- Description: Grants permission to delete a service
- Access: Write
- Resources:
  Name: Service
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
DeleteServiceNetwork
- Description: Grants permission to delete a service network
- Access: Write
- Resources:
  Name: ServiceNetwork
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
DeleteServiceNetworkServiceAssociation
- Description: Grants permission to delete a service network service association
- Access: Write
- Resources:
  Name: ServiceNetworkServiceAssociation
  
  Required: Yes
- Conditions:
  vpc-lattice:ServiceNetworkArn
  
  vpc-lattice:ServiceArn
  
  aws:ResourceTag/${TagKey}
DeleteServiceNetworkVpcAssociation
- Description: Grants permission to delete a service network and VPC association
- Access: Write
- Resources:
  Name: ServiceNetworkVpcAssociation
  
  Required: Yes
- Conditions:
  vpc-lattice:VpcId
  
  vpc-lattice:ServiceNetworkArn
  
  aws:ResourceTag/${TagKey}
DeleteTargetGroup
- Description: Grants permission to delete a target group
- Access: Write
- Resources:
  Name: TargetGroup
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
DeregisterTargets
- Description: Grants permission to deregister targets from a target group
- Access: Write
- Resources:
  Name: TargetGroup
  
  Required: Yes
GetAccessLogSubscription
- Description: Grants permission to get information about an access log subscription
- Access: Read
- Resources:
  Name: AccessLogSubscription
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
- Dependents:
  logs:GetLogDelivery
GetAuthPolicy
- Description: Grants permission to get information about an auth policy
- Access: Read
- Resources:
  Name: Service
  
  Required: No
  
  Name: ServiceNetwork
  
  Required: No
GetListener
- Description: Grants permission to get information about a listener
- Access: Read
- Resources:
  Name: Listener
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetResourcePolicy
- Description: Grants permission to get information about a resource policy
- Access: Read
- Resources:
  Name: Service
  
  Required: No
  
  Name: ServiceNetwork
  
  Required: No
GetRule
- Description: Grants permission to get information about a rule
- Access: Read
- Resources:
  Name: Rule
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetService
- Description: Grants permission to get information about a service
- Access: Read
- Resources:
  Name: Service
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetServiceNetwork
- Description: Grants permission to get information about a service network
- Access: Read
- Resources:
  Name: ServiceNetwork
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetServiceNetworkServiceAssociation
- Description: Grants permission to get information about a service network and service association
- Access: Read
- Resources:
  Name: ServiceNetworkServiceAssociation
  
  Required: Yes
- Conditions:
  vpc-lattice:ServiceNetworkArn
  
  vpc-lattice:ServiceArn
  
  aws:ResourceTag/${TagKey}
GetServiceNetworkVpcAssociation
- Description: Grants permission to get information about a service network and VPC association
- Access: Read
- Resources:
  Name: ServiceNetworkVpcAssociation
  
  Required: Yes
- Conditions:
  vpc-lattice:VpcId
  
  vpc-lattice:ServiceNetworkArn
  
  aws:ResourceTag/${TagKey}
GetTargetGroup
- Description: Grants permission to get information about a target group
- Access: Read
- Resources:
  Name: TargetGroup
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
ListAccessLogSubscriptions
- Description: Grants permission to list some or all access log subscriptions about a service network or a service
- Access: List
ListListeners
- Description: Grants permission to list some or all listeners
- Access: List
ListRules
- Description: Grants permission to list some or all rules
- Access: List
ListServiceNetworkServiceAssociations
- Description: Grants permission to list some or all service network and service associations
- Access: List
- Conditions:
  vpc-lattice:ServiceNetworkArn
  
  vpc-lattice:ServiceArn
ListServiceNetworkVpcAssociations
- Description: Grants permission to list some or all service network and VPC associations
- Access: List
- Conditions:
  vpc-lattice:VpcId
  
  vpc-lattice:ServiceNetworkArn
ListServiceNetworks
- Description: Grants permission to list the service networks owned by a caller account or shared with the caller account
- Access: List
ListServices
- Description: Grants permission to list the services owned by a caller account or shared with the caller account
- Access: List
ListTagsForResource
- Description: Grants permission to list tags for a vpc-lattice resource
- Access: Read
ListTargetGroups
- Description: Grants permission to list some or all target groups
- Access: List
ListTargets
- Description: Grants permission to list some or all targets in a target group
- Access: List
- Resources:
  Name: TargetGroup
  
  Required: Yes
PutAuthPolicy
- Description: Grants permission to create or update the auth policy for a service network or a service
- Access: Permissions management
- Resources:
  Name: Service
  
  Required: No
  
  Name: ServiceNetwork
  
  Required: No
PutResourcePolicy
- Description: Grants permission to create a resource policy for a service network or a service
- Access: Write
- Resources:
  Name: Service
  
  Required: No
  
  Name: ServiceNetwork
  
  Required: No
RegisterTargets
- Description: Grants permission to register targets to a target group
- Access: Write
- Resources:
  Name: TargetGroup
  
  Required: Yes
TagResource
- Description: Grants permission to tag a vpc-lattice resource
- Access: Tagging
- Resources:
  Name: AccessLogSubscription
  
  Required: No
  
  Name: Listener
  
  Required: No
  
  Name: Rule
  
  Required: No
  
  Name: Service
  
  Required: No
  
  Name: ServiceNetwork
  
  Required: No
  
  Name: ServiceNetworkServiceAssociation
  
  Required: No
  
  Name: ServiceNetworkVpcAssociation
  
  Required: No
  
  Name: TargetGroup
  
  Required: No
- Conditions:
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
UntagResource
- Description: Grants permission to untag a vpc-lattice resource
- Access: Tagging
- Resources:
  Name: AccessLogSubscription
  
  Required: No
  
  Name: Listener
  
  Required: No
  
  Name: Rule
  
  Required: No
  
  Name: Service
  
  Required: No
  
  Name: ServiceNetwork
  
  Required: No
  
  Name: ServiceNetworkServiceAssociation
  
  Required: No
  
  Name: ServiceNetworkVpcAssociation
  
  Required: No
  
  Name: TargetGroup
  
  Required: No
- Conditions:
  aws:TagKeys
UpdateAccessLogSubscription
- Description: Grants permission to update an access log subscription
- Access: Write
- Resources:
  Name: AccessLogSubscription
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
- Dependents:
  logs:GetLogDelivery
  
  logs:UpdateLogDelivery
UpdateListener
- Description: Grants permission to update a listener
- Access: Write
- Resources:
  Name: Listener
  
  Required: Yes
- Conditions:
  vpc-lattice:TargetGroupArns
  
  aws:ResourceTag/${TagKey}
UpdateRule
- Description: Grants permission to update a rule
- Access: Write
- Resources:
  Name: Rule
  
  Required: Yes
- Conditions:
  vpc-lattice:TargetGroupArns
  
  aws:ResourceTag/${TagKey}
UpdateService
- Description: Grants permission to update a service
- Access: Write
- Resources:
  Name: Service
  
  Required: Yes
- Conditions:
  vpc-lattice:AuthType
  
  aws:ResourceTag/${TagKey}
UpdateServiceNetwork
- Description: Grants permission to update a service network
- Access: Write
- Resources:
  Name: ServiceNetwork
  
  Required: Yes
- Conditions:
  vpc-lattice:AuthType
  
  aws:ResourceTag/${TagKey}
UpdateServiceNetworkVpcAssociation
- Description: Grants permission to update a service network and VPC association
- Access: Write
- Resources:
  Name: ServiceNetworkVpcAssociation
  
  Required: Yes
- Conditions:
  vpc-lattice:VpcId
  
  vpc-lattice:ServiceNetworkArn
  
  vpc-lattice:SecurityGroupIds
  
  aws:ResourceTag/${TagKey}
- Dependents:
  ec2:DescribeSecurityGroups
  
  ec2:DescribeVpcs
UpdateTargetGroup
- Description: Grants permission to update a target group
- Access: Write
- Resources:
  Name: TargetGroup
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}

Resources

ServiceNetwork
- Arn: arn:${Partition}:vpc-lattice::${Account}:servicenetwork/${ServiceNetworkId}
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
  
  vpc-lattice:AuthType
Service
- Arn: arn:${Partition}:vpc-lattice::${Account}:service/${ServiceId}
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
  
  vpc-lattice:AuthType
ServiceNetworkVpcAssociation
- Arn: arn:${Partition}:vpc-lattice::${Account}:servicenetworkvpcassociation/${ServiceNetworkVpcAssociationId}
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
  
  vpc-lattice:SecurityGroupIds
  
  vpc-lattice:ServiceNetworkArn
  
  vpc-lattice:VpcId
ServiceNetworkServiceAssociation
- Arn: arn:${Partition}:vpc-lattice::${Account}:servicenetworkserviceassociation/${ServiceNetworkServiceAssociationId}
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
  
  vpc-lattice:ServiceArn
  
  vpc-lattice:ServiceNetworkArn
TargetGroup
- Arn: arn:${Partition}:vpc-lattice::${Account}:targetgroup/${TargetGroupId}
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
  
  vpc-lattice:VpcId
Listener
- Arn: arn:${Partition}:vpc-lattice::${Account}:service/${ServiceId}/listener/${ListenerId}
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
  
  vpc-lattice:Protocol
  
  vpc-lattice:TargetGroupArns
Rule
- Arn: arn:${Partition}:vpc-lattice::${Account}:service/${ServiceId}/listener/${ListenerId}/rule/${RuleId}
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
  
  vpc-lattice:TargetGroupArns
AccessLogSubscription
- Arn: arn:${Partition}:vpc-lattice::${Account}:accesslogsubscription/${AccessLogSubscriptionId}
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys

Conditions

aws:RequestTag/${TagKey}
- Description: Filters access by the presence of tag key-value pairs in the request
- Type: String
aws:ResourceTag/${TagKey}
- Description: Filters access by tag key-value pairs attached to the resource
- Type: String
aws:TagKeys
- Description: Filters access by the presence of tag keys in the request
- Type: ArrayOfString
vpc-lattice:AuthType
- Description: Filters access by the auth type specified in the request
- Type: String
vpc-lattice:Protocol
- Description: Filters access by the protocol specified in the request
- Type: String
vpc-lattice:SecurityGroupIds
- Description: Filters access by the IDs of security groups
- Type: ArrayOfString
vpc-lattice:ServiceArn
- Description: Filters access by the ARN of a service
- Type: String
vpc-lattice:ServiceNetworkArn
- Description: Filters access by the ARN of a service network
- Type: String
vpc-lattice:TargetGroupArns
- Description: Filters access by the ARNs of target groups
- Type: ArrayOfString
vpc-lattice:VpcId
- Description: Filters access by the ID of a virtual private cloud (VPC)
- Type: String

Amazon VPC Lattice (vpc-lattice)

Additions